# Pro-active: Risk and Opportunity Management

Developed by Nicolaj J. B. Thomsen

## Abstract

Pro-active risk and opportunity management (P-AROM shorten for the sake of this articles length) considers negative and positive events in a project whereas risk and opportunities are the outcome of the events respectively. The purpose being mitigation of risks and enhancement of opportunities in the early phase of the project hereby gaining higher return of investment for the stakeholders. [1] Risk control is a tool used as P-AROM to fulfil its purpose. To obtain risk control a process with four stages is used. First step in the process is to identify the risks, then assess the risks, treat the risks and at last review the treatment of the risks which result in risk control. The fourth step of the process, review, is done for analysing the success rate of the risks responses/treatments.

Risk as definition is probability P times the impact I giving the formula:[2]

$R=I\cdot P$

Key elements in risk management is to control the probability and impact that events will occur and have. For P-AROM the key is to predict and manage these two values, done with different models, tools and methods described further in this article. Which result in mitigation of risks and enhancement of opportunities that will insure cost and time benefits and increased scope quality.

This tool can be used in any projects but with a high demand on cost, it is often seen optimal in medium to large project e.g. the new super hospitals construction projects in Denmark. The unpredicted cost overruns fund was initially estimated to 7-8% of the budget as a result from a P-AROM analysis done for the projects in the capital region of Denmark. This was later changed to 10-15% in the project process due to higher amount of unpredicted expenses [3]. Which is know as reactive risk management that do changes and solutions due to complications in a on-going project. Thus a limitation of P-AROM is that prediction of every possible scenario is impossible. P-AROM is not limited to the construction industry it can be used for any industry and project, due to it providing necessary analysis of complications that can occur. This article will explain the methodology of P-AROM with an additionally amplification of the method in real cases.

## Introduction

Figure 1. Four stages of classic risk management towards risk control.[4]

Risk management is in general attained by four stages that leads to risk control this process is shown on figure 1. The four stages that form the risk control will be analysed with the perspective of P-AROM. The first phase is the identification of the event which is further specified. The outcome being a list of expected events that can either have a positive effect which is opportunities for the project if govern correctly, or the events can have a negative result leading to risks for the project that is needed to be mitigated. From identification the next phase is assessment of the identified risks and opportunities which by analysis gives the stakeholders possibilities of making a qualified decision, when taking action towards enhancing opportunities and minimizing risks. With a good assessment the risk managers can continue to the next phase which is treating the risks and opportunities. A bad treatment can lead to project failure, cost overruns, time delays, lower scope quality etc. Therefore has the treatment of the events a high influence on how well a projects success rate becomes. With treatment being allocated to the events its effect will be reviewed, being the fourth stage towards risk control. Here complications within the treatment will be identified and reviewed to determined whether the treatment was a success or failure, resulting in the stakeholders to either accept or reject the treatment. From this the identification of the treatments that was not fulfilling will be identified and the cycle of the four phases will be repeated, as shown in the figure 1, thus leading to risk control. From the P-AROM perspective insurance of as few as possible surprise events resulting in cost overruns, time delays and lower scope quality is key. Stakeholders benefits from the tool of P-AROM in mitigation of unwanted incidents that can result in numerous complications for the project and wanted opportunities to be exploited.

The first step, identification, will be addressed in the following.

## Identify Risks

The identification of events has the purpose to determine whether they are positive or negative for the project[1]. Positive outcomes will be categorised as opportunities whereas the negative events will be considered risks for the project. This can change the life cycle of the project process[5]. An opportunity can e.g. mitigate the time development of a certain product within the project. This could be a technological system within a bank that handles clients return of interest in their saving accounts, the developers could discover a new method for handling the data with the positive outcome of minimizing errors. An opportunity could also be material deliverables to a construction site where the collaboration of transport between two stakeholders would lead to a more cost beneficial outcome. Negative events categorised as risks for the project could example cause cost overruns or time delays. E.g. of a time delay could be if resource based managers can not deliver the resources for the scope due to difficulties in the development team that causes delays on the detail drawings. Hereby will the identification help risk managers to locate the problem of the delay and begin assessing it. Resource based manager has to manage and are responsible for the delivery of resources to a project. Identification phase is only identifying possible events that could occur with the assessment and treatment being further steps into the process of risk control. Additionally from the DS/ISO standard should the identification process involve as many stakeholders within the project as possible e.g. project customers, project manager, project team, senior managers, risk managers, clients, users etc [5]. Thus mitigating the chance of this process to oversee any opportunities or risks. The second step in P-AROM is assessing the identified events.

## Assess Risks

Figure 2. Impacts within a project with four project objectives.[4]
Figure 3. Probability and impact matrix.[6]

The assessment of the events that has been identified is done to gain knowledge of which risks and opportunities that should be prioritized[1][5]. How to determine the priority is through analysis of the probability for the events occurrence and the impact they will have on the project objectives[4]. When focusing on the risks the magnitude is given by the formula[2]:

$R=I\cdot P$

Key stakeholders risk tolerance are considered a higher priority when the impact of the risks is determined. E.g. if a risk is analysed to directly affect the client or the main investors the impact of that risk will be considered high compared to a risk that a smaller resource based manager in the project could experience. This is due to if key stakeholders in the project withdraws the funding as a result of a negative event the project could be terminated. Whereas if a resource based manager experiences negative events which can result in time delays, lower scope quality and/or cost overruns that hurts the project but does not terminate it.

Considering P-AROM the goal is to analyse the identified risks before the project has begun with the benefit of cost savings. A golden rule within a projects process is that the earlier important decisions are made the greater the return of investment[7].

The impact in the equation of risk can be considered in four categories cost, time, scope and quality as shown in figure 2. Already discussed is the cost and time influence in a project but the scope within the project must also be considered when investigating impact. Scope measures the whole process of producing a product. Risk that has a high impact can result in the scope being effectively useless or unacceptable which the stakeholders must address. Furthermore is the quality of the project measured when observing impact. E.g. must the stakeholders be informed if a reduction of scope quality has been detected in the production, with the outcome of them approving or discarding the product.

The popular risk management tool probability/impact matrix shown in figure 3. is used to assess risks. Observing the figure a high impact low probability is explained as rare catastrophe which e.g. cold be a weather storm that ruins scaffolding at a construction site and thereby delaying construction work considerable. This is for a P-AROM perspective very difficult to address but should be implemented pre-handedly in the unpredicted expenses account. For high impact high probability the figure describes this as a probable disaster where a risk manager prevent and mitigate these kind of events as much as possible.

Opportunities in a project that is realised in the early faces is the assessment used to provide the stakeholders with information of how well the opportunities can be exploited. Thus giving them an analysis of how to reach the opportunity and what it provides within the project.

From the analysis the stakeholders must chose the best treatment of the events. This is done by comparing treatments with focus on which is the most effective, has the highest chance of success, the one that is most cost beneficial etc. Thus follows the treatment of risks.

## Treat Risks

The third process step in controlling risks is the treatment, with the purpose of determining the actions needed to reduce the risks and enhance opportunities that have been analysed in the assessment[5]. The overall purpose for treatment of the events is for the stakeholders to delegate the resources into the opportunities and risks found in the identification and assessment stages, thus achieving the highest possible return of investment. From DS/ISO it is stated: "Risk treatment includes measures to avoid the risk, to mitigate the risk, to deflect the risk or to develop contingency plans to be used if the risk occurs." [5]. Possible actions for the stakeholders will be discussed in the risk control paragraph under risk responses. How well a treatment of risks or opportunities is handled determines the projects success with the degree that the outcome of a bad treatment can result in project failure or zero budget benefits. While a good treatment of events can lead to enhanced cost and time benefits and scope quality. When the treatment has been chosen and the result of it conducted the next process is reviewing the outcome. Hereby will the treatments success rate be investigated which is further explained in the following.

## Risk Review

Risk management is a constant process of the four stages with the control as an outcome. The review stage has a goal of monitoring the treatment and update the risk register (explained under the risk control paragraph)[4]. The monitoring of the treatment is for assurance of effectiveness and quality of that process. If mistakes were to occur in the treatment the review process will have the purpose of detecting it, thus providing the treatment to be fulfilled without incompletions or gaps. The review will update the risk register herewith linking back to the identification stage where new and old risks will be identified and then analysed once again. Thus insuring the treatment was a success and providing the project with risk control.

Opportunities within the project will benefit from the review phase by the insurance of the treatment was as optimal as possible. Furthermore reviewing the treatment could lead to discovering additional opportunities to be exploited. It would also detect treatment that did not optimise the project and providing the stakeholders with the option of discarding for cost beneficial reasons.

The review finishes the circle with the risk control as the wanted outcome. The control of risks is further addressed in the following section which connects all the four stages in the process.

## Risk Control

The objective to control risks is to mitigate the risks and enhance the opportunities that influences the project by using the stages explained. Pro.active actions is modifying the process to avoid and reduce deviations from the original plan. Compared to corrective actions that handles current events which has caused deviation of the original project plan [1].

Controlling a project from a P-AROM perspective is the key to provide stakeholders with information usable for early decision making, with the benefit of high return of investment. P-AROM can be used to control the scope of the project with the purpose of smoothing process by maximising opportunities and minimising risks. Tools to reach control of scope: progress data, scope statement, work breakdown structure, activity list and change request [1]. Additionally resource control would be carried out to insure availability thus the project work would not experience time delays. Tools used for resource control: project plans, staff assignments, resource availability, progress data, resource requirements, change requests and corrective actions [1]. A great addition that P-AROM can provide for a project is scheduling control. Good planning will provide fewer complications within the project. E.g. in a construction project an electrician can not install modules and wiring if the walls have not been made. Thus a good planner will safeguard that the electrician is scheduled to work after walls have been set up. Tools used for scheduling control: project plans, schedule, progress data, change requests and corrective actions [1]. Cost control is an on-going monitoring threw-out the project life cycle with the desire to mitigate budget overruns. E.g. altering the schedule for more time efficiency will be costly due to the stakeholders demands of raise in investment for the extra labour. Tools to obtain cost control: project plans, budget, progress data, actual costs, forecasted cost, change requests and corrective actions.[1] Quality control insures standards are being met, the objective of the project is obtained and reduce unwanted failures in the scope. For this tools that can be used for delivering quality control: Deliverables, quality plan, quality control measurements, verified deliverables, inspection reports, progress data, change requests and corrective actions.[1] These different control areas will help to a minimization of needed risk control. Risk control is done to mitigate the disruption that the project could encounter such as stated earlier. The tools to risk control is formulated: project plans, risk register, risk responses, progress data, change requests and corrective actions.[1] All these aspects for controlling will increase the possibility for project success.

Figure 4. Inputs and outputs for risk control.[5]

DS/ISO defines the inputs and outputs for controlling risks as shown in figure 4. The inputs for controlling is a collection of the prior stages outputs in the process thus achieving risk control. The outputs is actions with the intent to mitigate damages to the project. E.g. could this be to diminish cost overruns, insure quality of the scope, effectiveness of the scheduling resulting in mitigation of time delays.

The different primary inputs and outputs for risk control is explained further[5]. Risk register is the primary output from the identification phase this benefits the risk control by sorting of the different events that from the phase as been identified. With the register an overview is provided to the stakeholders that keeps the focus of the possible events.

Progress data is determined to insure that the treatment applied is working as wanted.

Project plans is an outcome of the risk control cycle which is the plans of action attributed from the stakeholders with in the project.

Risk responses is from the treatment of the risks phase, thus providing stakeholders with five choices of responses.[6] First Accept the risk simply accept that this risk can occur without further engagement, this is often chosen with risk that have a low probability. Second Eternalise the risk is delegating the risk to a subcontractor often done when the contractor has more experience or better knowledge of the dependant risk. Third Mitigate the risk this is done to minimise the probability of the risk to occur often done by changing scope of the project. This is the most used response to risks and thereby one of the greatest reasons for P-AROM has such a high importance for the project manager. Fourth Insure or hedge against the risk done to prevent risks such as fires where the impact will be high but the probability is low. The solution is not always available due to the insurance companies acceptance is needed. Fifth Delay the decision is done when more information is analysed to give a better outcome of the treatment.

The two outputs shown in figure 4. is elaborated on further. Change requests is the state where the outcome of the treatment has been decided to change a direction or decision from the original project plan. A simple example could be a firm producing televisions, that discovers the remote produced does not have sufficient possibilities for clients to control the television as wanted. A change request would then come from the product development team for including the features wanted. The second output from risks control is corrective actions which is an action taking within a firm for either manufacturing, systems, documentation or procedures to reassure quality of scope, be within budget and no time delays. E.g. could be a product resource that stops delivering here actions must be taken to either work more efficient with the resources provided or get a new delivery where stakeholders has to accept the related extra cost. Both the outcomes would often be a reactive risks management thus meaning that P-AROM have limitations.

Figure 5. Poke Yoke example.[8]

A third risk control output, not shown on the figure, is a P-AROM orientated action known as preventive actions[7] this is a action taken to prevent negative events. The action is based of analysis of the product or from managers experience. E.g. the car company Toyota has one of the worlds best developed production systems. Which has been under development since 1950's with the goal of efficient and fast production [8]. The production system is a product of well performed P-AROM that has improve the companies value and efficiency. Solutions that has been made in the production of Toyota cars is e.g. Poka Yoke which insures that wrong assembling can not occur. This is done by making connections between two components impossible to do wrong as shown in figure 5. Prevention action often have a high return of investment due to changes made in the early stages of a project is cheaper rather than later.

## Limitation of the Tool

The limitation of P-AROM is the need for preventive risk management. There will always be unexpected events within a project where a preventive action must be taken to get the project back on track. This means that P-AROM is not sufficient for stakeholders to invest in which means that risk management rely heavily on a good budget. Furthermore is the process of P-AROM costly due to the high amount of labour and hours to identify, assess and treat possible events. Due to the cost of risk management project with low budget can experience limitation in possible death of the risk management. Thus providing higher risks of uncertainties and limited options to exploit opportunities.

## Annotated Bibliography

How to do project?: Covers the basics of project management with focus in projects and the four perspective of projects; purpose, people, complexity and uncertainty. Using Probability – Impact Matrix in Analysis and Risk Assessment Projects: Had the focus of risk management with different tools such as impact/probability matrix with the R=I*P match model. The article further developed understanding of risk managements importance within projects and used tools to determined impacts measures of different risk events. Paradigme for styringsmanual for Region Hovedstadens Kvalitetsfonds Byggeprojekter: This was a given article from a project leader within the new super hospitals being build in Denmark. It simply contains information of how the project is delegated with meetings, P-AROM, budget, scope etc. Lecture from project management MEP-4: This was a power point from the bachelor course project management provided by DTU. The power point and lecture details the perspective uncertainty with definition, tools, how to react and the four stages towards risk control; identification, assessment, treatment and review. Guidance on project management: Is from an DS/ISO standard that concentrates in explaining how that standard way of treating project management should be done. Furthermore definition of tools and perspectives within management is elaborated on. This source was used to better understand risk controlling. Managing construction projects: This is a book on project management within constructions. Used in detail to understand risk responses and probability/impact matrix. The book itself covers a lot with in project management such as managing stakeholders, budget, scope, schedule etc. https://simplicable.com: Was a source that described preventive actions and change request. With examples and definitions of the two. Lecture from Planning and management in construction, Lean construction and last planner system: A lecture in the course Planning and management in construction provided by DTU. This lecture explained how P-AROM if beneficial for project and companies. Further elaborating on tools that was used in real cases.

## References

1. 1.0 1.1 1.2 1.3 1.4 1.5 1.6 1.7 1.8 1.9 Geraldi, Joana and Thuesen, Christian and Stingl, Verena and Oehmen, Josef (2017) How to DO Projects? A Nordic Flavour to Managing Projects Version 1.0, Publisher: Dansk Standard
2. 2.0 2.1 Dumbravă, Vasile and Severian Iacob, Vlăduț (2013) Using Probability – Impact Matrix in Analysis and Risk Assessment Projects, Publisher: Scientific Papers (www.scientificpapers.org) Journal of Knowledge Management, Economics and Information Technology
3. Enhed for Byggestyring (2017) Paradigme for styringsmanual for Region Hovedstadens Kvalitetsfonds Byggeprojekter Version 3.0, Publisher: Region Hovedstanden
4. 4.0 4.1 4.2 4.3 Geraldi, Joana and Thuesen, Christian (2017) Lecture from project management MEP-4, Publisher: Technical University of Denmark
5. 5.0 5.1 5.2 5.3 5.4 5.5 5.6 Guidance on project management (2013) DS/ISO 21500 Version 2.0, Publisher: Dansk Standard
6. 6.0 6.1 Winch, Graham M. (2010) Managing construction projects Version 2.0, Publisher: 2010 Blackwell Publishing Ltd and 2002 Blackwell Science Ltd
7. 7.0 7.1 https://simplicable.com (website copy right 2002-2017) , Publisher: copyscape
8. 8.0 8.1 Simonsen, Rolf (2017) Lecture from Planning and management in construction, Lean construction and last planner system, Publisher: Technical University of Denmark